One of the handouts from our visit to Jeffco Elections was an
attempted repudiation of DRE critics distributed by www.electioncenter.org,
which I found much fault in. As follows:
--
Pete Klammer /
ACM(1970), IEEE, ICCP(CCP), NSPE(PE), NACSE(NSNE)
3200 Routt Street / Wheat Ridge, Colorado 80033-5452
(303)233-9485 /
Fax:(303)274-6182 / Mailto:PKlammer@xxxxxxx
Idealism may not win every contest, but that's not what I choose it for!
---
Klammer Critique of “DRE's and the Election Process”
A document titled “DRE's and the Election Process” is being provided by The
Now that Direct Recording Equipment (DRE) voting systems are growing in acceptance and use in American elections, it is almost inevitable that some groups, individuals and organizations will claim that such systems are not safe enough to use in elections.
The rejection of DREs is now growing faster than the acceptance, just as fast as full understanding of their risks is spreading; the apparent perceived need for this document is tacit admission of this turn in fortunes against hasty salesmanship.
And this argument is not new. When lever machines were first introduced into the elections process, all those who favored paper used the same kinds of arguments. When IBM first started computer-counted punchcard voting, many of the same kinds of arguments were made.
Every different technology poses its own challenges. Lever machines, indeed, were paperless, so some similar arguments apply; no DRE critics are nostalgic for them. Furthermore, the sins of lever machines and butterfly ballots give DREs no virtue; so unless you're arguing "lesser of two evils," what is the point?
Because DRE’s represent another shift in the kinds of technology used for elections, we see the renewed fears of introducing the newer technology. It is entirely normal for these arguments to arise as we shift to a generational change in the types of voting systems used.
The objections to DREs are valid criticisms of vulnerabilities, not “fears”, and certainly not “renewed fears”. What is “entirely normal” is for technological improvements (for example seat belts or unleaded gas and catalytic converters) to be welcomed, and technological threats (for example the ozone hole, global warming, or carcinogenic additives) to generate vocal criticism seeking relief and remedies.
The problem is that well-intentioned people, some of them even highly educated and respected, scare voters and public officials with claims that the voting equipment and/or its software can be manipulated to change the outcome of elections. And, the claim is, it can do so without anyone discovering the theft of votes.
No, the problem is not that experts “scare” voters. The problem is that careful, reasoned, informed expert analysis of DREs is putting a damper on sales just when vendors thought they could cash in on the HAVA funding bubble. And the concern is not limited to the so-called “paranoid” concern about deliberate manipulation, but goes much further into many possible modes of failure. What makes these possibilities so devastating is that, no matter whether deliberate or accidental, there is absolutely no means of detecting vote shifting or misrecording in paperless DREs. To focus solely on the less-plausible “theft” scenario is deliberate distraction from the historically evident “flaw” scenarios.
Since so many people tend to distrust technology they have limited knowledge about, it only makes the situation worse.
No, it is good to have a healthy skepticism of technology, especially if knowledge is hidden behind “proprietary” secret barriers; such skepticism eventually makes the situation BETTER.
Let’s confront the problem directly: it is highly probable that any machine devised by humans can be broken by humans. So ANY technological argument to the contrary seems to be doomed from the very beginning. We can take precautions, we can make it more difficult, but the end analysis is that you cannot build a totally secure voting device.
Let’s be a little more intellectually honest than that: instead of dismissing DRE failures as among insignificant theoretical remote possibilities, how about considering the risk-vs.-benefit ratio? Sure, “any machine devised by humans” can be broken, but the difference is: what is the impact, and what is the recovery? If an ATM fails, you can go to another ATM, or you (or your bank) can discover through reconciliation later that something doesn’t balance, and recover with adjustments. If a jetliner’s electronics fail, the pilots are still in the cockpit, and can fly manually. If your cell phone malfunctions, you can redial, and you can request a credit from your phone company. But if a DRE fails to report your vote in the right column at the end of the day (this has been documented happening), or if it even records your ballot as blank (this has been documented happening), you will never know after you “cast” it, the election judges cannot tell whether any votes are in wrong columns, or who the blank ballots came from, and indeed if the entire vote count disagrees with the number of voters that day (this has been documented happening), there is absolutely no backup to reconstruct what should have happened. And if the questionable count discrepancy exceeds the margin of victory in a particular race (this has been documented happening), then the impact may or may not be an altered election decision. So it is disingenuous to equate paperless DRE failures with other classes of equipment failures.
The real question is, can you gain access to the software, change it, have it manipulate the results for one or more races, have it not be evident when you do the pre-election test, erase itself before the post-election test, and get away with it totally undetected?
No, this is not the real question; this is a “fake bogeyman” distraction. The real question is, when (not if, but when) any malfunction occurs, can it be detected, and can it be corrected?
As usual, this all boils down to appropriate election policies and procedures, and with an understanding of what it would take to do all of the above and get away with it without anyone discovering what you did (or attempted).
There is no procedure that can reproduce voter intent out of thin air, once the touchscreen inputs have been reduced to some bits and the screen is erased. The only party able to “get away with” anything, is the vendor who cannot be accused of equipment failure, since a DRE is cleverly devoid of any proof of failure.
Voters need to know that even if the election official is sloppy about some procedures, that it is still improbable (vs. impossible) a "rogue vendor" could act alone to change election results (to use an allegation that has been made).
To quote a wise old saying, nothing in politics is just coincidence; even if it starts out that way, it becomes immediately exploited. Detection and correction of paperless DRE misrecording does not depend on sloppiness or diligence; it is equally undetectable in either case.
Here are the steps that a person would have to go through to be able to change the outcome of an election.
By postulating the hypothetical “person” against all these deliberate barriers, this argument purports to demonstrate the near impossibility of election flaw. The problem with this argument is, the majority of machine malfunctions have nothing to do with anyone’s deliberate attempts at anything. No one was “trying” to break into the Mars Rover when its flash memory got messed up; it just got into a real-use situation that testing didn’t anticipate.
A) You have to know the language the software was written in (not English, Spanish, etc., but rather the programming language)
Entirely false. The users who operated the Therac-25 cancer-radiation machine did not know the language its firmware was written in, yet certain of their actions caused that machine to overdose and kill three patients because they unknowingly activated a flaw that test decks missed. Telephone-system hackers discovered touch-tone sequences to make unauthorized calls without knowing the language the phone systems were written in. Software language knowledge is not requisite to accidentally or intentionally cause a system to malfunction.
B) You have to know every location in the software where it checks on itself to verify that the numbers it is reporting are accurate;
Not so. This argument assumes the goal is to produce a perfectly-functioning program that reports inaccurate numbers. That is only one single mode of failure among hundreds. For example, disrupting, or even merely delaying, proper reporting can alter the course of elections.
C) You have to know the language AND VERSION of the compiler that was used to compile the program (it converts the program from a human readable form to machine language)... in order to “reverse engineer” the software you must have the identical version of the compiler in order to reverse engineer it;
This is ridiculous over-specification. Many aspects of software are identical from one version of a compiler to another. Indeed, many common source statements can be efficiently expressed in compiled machine code only one way, regardless of compiler version. Just because the writer can’t imagine it could be otherwise, only reveals the limits of the writer’s imagination.
D) You have to gain access to the software for a long enough period to actually replace it;
There is no need to replace any software, if the flaw already exists in it. Most “bugs” in software have been present since the program was originally written; it is only under unexpected circumstances of real-life use that they get exercised. If real-life use is undocumented (paperless), and documented (test-deck) use is not real-life, how can such bugs ever be found or fixed?
E) You have to make the software ignore the pre-election test or tests and only initiate itself on election day;
It isn’t a question of “making” the software ignore anything. It’s a problem of coming up with every conceivable permutation of inputs, timing, voltages, temperatures, handling, logic, code paths, capacity utilization, error conditions, overloads, and abuse, which could possibly occur in the course of election day, and testing for them all, on every single machine. That’s impossible, of course, so the DRE advocates are reduced to assertion that they have tested “enough” – whatever they decide that is.
F) You have to have the software be able to actually change votes throughout the day and do so undetected;
Patently false; yet patently true. Alternatives: offsetting counts or shuffled columns could be set at poll opening. Or counting could be faithful all day long but something happens just at poll closing. But if votes are being recorded without voter-verified paper for comparison, wouldn’t any changes be, by definition, “undetected”?
G) The software must be able to erase or conceal itself before any post-election test.
A flaw or misdirection that is not exercised by any test, doesn’t have to conceal itself at all.
H) If the software is programmed onto a ROM (Read Only Memory) chip then you have to have physical access to the units.
And if the software is programmed from paper tape then you have to have physical access to the spools of tape. Duh. (ROM is rarely used in modern DREs. Which is part of the problem: “flash memory” or “electrically-erasable programmable read-only memory” (EEPROM) allows a machine’s code to be changed any number of times between the time it is manufactured, accepted, tested, installed, used, or audited. Indeed, there are cases in which the version of firmware used in an election is no longer available for anyone’s inspection anywhere. “One-time code,” eh?)
I) With access to the units, you must be able to remove enough of the ROMs in the units to reprogram them. This entails having enough time to either erase the ROMs installed in the units or having enough supplies of identical ROMs that you can have them preprogrammed and inserted into the units... all undetected.
This line of argument is getting more and more phony. Typical DREs are reprogrammed through a compact media port, very similar to the slot or jack used to transfer photos from digital cameras. Newer units are even reprogrammable wirelessly, so that a warehouse full can be prepared for the next election without removing screws or opening cases. And whatever the good guys can do, the bad guys will try to exploit, too.
J) You then have to have access a second time to remove the “malignant” ROMs after the election and replace them with the real ones you removed (so that you can get away with the election fraud undetected).
Most flash-memory systems can be reprogrammed or erased from within, so that deliberate bad code can erase its tracks, like a disappearing Cheshire cat, upon any suitable condition (election period over, election day past, non-election usage detected, even case-opening or maintenance-mode detection could be triggers to turn malicious code into innocuous “diagnostic” or “hardware-assist utility” code). But this whole line of argument is too clever by half. The bigger danger is erroneous operation under certain conditions or loads or capacities, which does not have to be removed, because it is never detected, because it is unobservable when it happens.
K) You have to do this not only on enough machines in one jurisdiction (unless your intent is to manipulate a local election – and why would anyone take these kinds of risks for a County Commissioner’s race, or Sheriff’s race or Mayor’s race?), but in many jurisdictions in order to steal a Congressional race or state race? And for the presidency, this would involve thousands and thousands of people...unless of course we go to one system nationally (or Internet voting).
Since hundreds or thousands of DREs are programmed identically, a flaw in one is a flaw in them all, and the execution of the flaw only depends upon whether and when each machine is brought into the conditions that elicit those flaws. Similarly, a patch is typically programmed in one place, and then distributed to hundreds or thousands of machines for identical installation. The writer of the patch does not have to visit all those machines in order to affect each and every one’s operation.
L) In states with multiple vendors of DRE’s it means that you have to go through the entire process for EACH type of DRE (and still be able to get away with it).
Every brand of DRE has exhibited flaws of one kind or another. The most damning evidence of flaw is the post-sales patches. Clearly, certification and ITA testing does not produce bug-free software, otherwise no patches would ever be necessary after certification. So no software can ever be known to be bug-free. Then why is it ever considered good enough to “go bare” without paper backup?
M) Even in Central processing of election results through an Election Management Software package, you still have the individual results of local precincts (and each unit therein) and can verify the results as reported by them in comparison with the Election Management System results.
By the time you get to Central processing of DRE results, it’s too late. The damage is done. All Central has to look at is the numbers the DREs produce. Whether those numbers are what voters touched in, or not, is lost. Permanently. Irrevocably. Forever.
N) In many states, there is a requirement to escrow the software, so that you can compare the software in the units with the escrowed software.
This would be a good thing, if experts would be allowed to study that software and scrutinize it for bugs that the vendor, the ITA labs, the state authorities and county administrators might have missed. But since most DRE software is locked away under court-protected “proprietary” lock and key, this is practically useless. But more fundamentally, if a DRE undetectably reassigns any screen touches to different ballot positions, and no audit or recount can possibly reveal that, what difference does code escrow make?
O) Even in states where this is not so,
To the degree that firmware used in elections is in fact so secured, this is a good thing only as far as described above. But to the degree that vendors and administrators decide last-minute emergencies justify urgent or temporary installation of fixed or patched firmware, this is equally useless. But how does this make up for paperless concealment of operational inaccuracy? Does a voter, who has no tangible evidence of verified operation when he leaves the voting booth, say to himself, “Well, since NASED has a copy of this firmware, I don’t need to verify my vote”?
P) You now have to have the involvement not just of one or two people but significant numbers of folks to make all this happen undetected, actually change the outcome, and get someone elected who should not have been elected.
You may need all those people to make happen what you described, but your scenario is just one of a hundred, and one obviously chosen to be easily punched full of holes. The reality is, there are many more kinds of failure we can think of, and probably (if history is any guide) a lot that we can’t think of yet. Which is precisely why we need tangible, physical-artifact ballots.
Q) A piece of paper that the voter sees does not guarantee that the same results will be recorded within the machine – if you want to manipulate the election, show the voter whatever the voter wants to see and still manipulate it later. Security experts will still argue the value of having paper for recounts.
Exactly why paper must have priority, and DREs shouldn’t even have counters or memory. If you have two records of vote – one hard-to-alter one which the voter verified, and one easy-to-alter one which was created in a manner concealed from the voter, which is more credible? If there’s a risk of discrepancy, why even keep the dubious one at all? The only serious argument among credible security experts about paper recounts is how to make sure the paper is made accurately, reliably, speedily, and economically countable.
R) The current solutions presented by the vendors as a result of their concerns for the validity of the results have their own limitations, because:
a. They add a printer, which can run out of ink, ribbon, or paper
Gosh! And a DRE touchscreen can run out of battery power, get out of alignment, or fade its pixels, right? This is a phony argument that acts as if adequate reliability engineering, along with modular system design, were just “too hard” for the poor vendors. Lottery-ticket printers alone are testament to the achievability of the challenge.
b. Paper can jam
Or a DRE can fall on the floor and break. Phony.
c. Printer can be disconnected from power source.
So could the DRE. Or the DRE might have internal battery. Or the printer might, too. Or you might just plug the printer back in, ever think of that?
d. (All of these mean having to repair the units during an election with repetitive jams, running out of paper, or ink, etc).
For $29 you could attach a Gorilla Banana printer and have Sturm und Drang all election day long as election judges who have never touched a Commodore-64 in their life struggle to get them into or out of graphic-block mode. Or for $4399 apiece you could attach a Xerox Phaser color duplex printer with mean time between failure and enough solid dyestuff for over a thousand elections 99.999% problem-free. Or for a few hundred dollars you can solve this problem without these phony scare tactics.
e. They add weight to the units (complicating precinct setup, shifting control of delivery and setup from poll workers to expensive delivery services along with quality control and security efforts over those services).
There are printers and there are printers. If you are determined to convince election directors of all these burdens, you can model a 60’s-era drum printer, the size of a chest deep-freeze, complete with alternative ASCII and EBCDIC drums. Or you could recall that DREs weigh more, require more expensive setup, quality control and security efforts than #2 pencils and paper ballots, don’t they?
f. Voters can, and probably will, walk off with ballots with some of the solutions presented (vote buying?)
A walk-away ballot is not a cast ballot (we’re not going to count or record in these ballot-marking DREs, remember?), and this is no different from paper and pencil ballots before any automation at all: if it’s not cast, it’s not a vote, and it can’t be sold.
g. Inability of blind voters to check their ballots (Braille printing only covers 10 percent of the blind).
Ballot templates (stencils) are one of several alternative means for private, secret, independent voting by the blind. Another alternative is an audio-equipped polling-place scanner, so that the blind user can use an audio-assisted touch-screen ballot marker (exactly as a DRE would have been used), and then verify his paper ballot, and cast it indistinguishably from everyone else into the same ballot box.
h. They add significant cost and complexity to the voting unit and to the skills required to support them in a voting location.
The cost and complexity of a printer is small relative to the touchscreen it is attached to.
i. While the voting system may accurately reflect how the voter has voted and print an accurate reflection of that vote as a receipt, what happens when the voter has electronically “cast” the ballot but now claims the printed receipt is different? You now introduce serious credibility claims that can irreparably damage the elections process...and they will insist on keeping the printed ballot as evidence of “fraudulent programming of the machines.”
Exactly why only the paper ballot (not a “receipt”) counts. The non-counting, non-recording DRE, or touchscreen ballot marker, no longer comes into play or dispute. A voter-verified paper ballot does not need a DRE to back it up, because it is a tangible physical artifact that has unique properties of matter such as: it cannot be in two places at the same time; it cannot be replicated without additional artifacts; it cannot pass into or out of a box or room undetectably; it cannot be destroyed by remote keypress without trace of ash or smoke or shreds; all of which are manifest weaknesses of the oxymoronic “electronic ballot”.
j. Or, once printed receipts leave the polling site (which will be difficult to prevent at the precinct level) do you now introduce the ability of fraudulent reproduction of printed receipts intended to confuse and contrive the process?
Physical paper ballots are much easier to protect against fraudulent replication than so-called “electronic ballots”! You realize, of course, that most “cut, copy, and paste” these days is accomplished without scissors or glue, don’t you?
The point is simply this: do not be misled into believing that elections are reliant upon technology which can be manipulated.
The real question is whether there “are sufficient and proper safeguards to make it highly improbable?” And the answer to that is yes. It may be possible to do many things, but like time travel (which is theoretically possible), it is highly unlikely at this time.
Hokum. The likelihood of DRE malfunction, which has been documented dozens of times in every election season over the past decade, is not comparable to time travel, which has not been demonstrated anywhere. To compare these two is as apt as comparing street rape to the Virgin Conception. The point is simply this: do not confuse “absence of evidence” with “evidence of absence”. Although DREs may not have been designed in order to conceal flaw or fraud, they do, by their design in fact conceal flaw or fraud. Even more, they relieve their makers or implementers (election officials) of any responsibility for flawed or fraudulent operation, since it is undetectable, and even where suspected, it is by design unprovable and undocumentable. If there is one lone voter for a candidate in a precinct, and the count for his candidate comes up zero (0) at the end of the day, you know what the authorities will respond? Either “you made a mistake, you were confused,” or else “you’re lying, you’re deliberately trying to spoil this election.” So how can any other voter have any better confidence, if there is no verifiable tangible evidence that his vote didn’t get shaved?
The real question is this: if election officials know machines may be imperfect, but also know that these machines by their very design conceal any imperfections, then why do they so steadfastly resist the remedy? Experts and critics aren’t scaring the voters, elections officials are!
Each of the systems is programmed at the LOCAL level. It is true that each local election is using the same base machine operating system but it is individually programmed locally. Manipulation of races for national or statewide offices or regional offices (Congress, state legislature) is far more difficult because it is highly unlikely that each of those races will appear in the IDENTICAL byte spot on each machine and would vary from one local jurisdiction to the next.
Less than a half-dozen basic models of DREs, with ballot layouts prepared from just a few different setup programs, will control over 50% of the electronic votes in the next election. The incumbent president’s name is the same in all of these voting machines. Votes are not assigned by byte location, they are assigned by candidate name, and party name. Byte location has little to do with these possibilities.
Another allegation made by some is that the software should be in the public domain rather than proprietary, leaving the impression that the software is secretly controlled by a company or individual. Simply because the software is not open to every hacker in the world, does not mean the software is not reviewed and exposed to public scrutiny.
Open-source software probably has lower bug rates than proprietary software, but definitely has greater public confidence than proprietary software. Indeed, every time a proprietary program is opened to the public for the first time, a rash of bugs and sometimes even back doors are immediately discovered.
The national testing program for the National Association of State Election Directors (
Thank you for asking. In the case of software whose correct operation is so critical to the common public good, the answer is simply “yes”.
Since the source code is escrowed with our national Independent Testing Authorities, and additionally as a condition of approval in many states or local jurisdictions, it is not secret code. In an appropriate governmental investigation or court inquiry, it can be compared from the machine to the escrowed versions. This is an appropriate safeguard for the public interest.
The stream of patches that follow ITA-approved code is ample evidence that ITA approval does not eliminate bugs. And many vendors’ urgent willfulness in flouting restrictions against non-certified code, in order to install firmware which (apparently) is necessary to avoid catastrophic election failure, is ample evidence that the ITA-approved code is not just trivially imperfect, it is sometimes critically, fatally imperfect. So ITA escrow does nothing to alleviate the need for voter-verified paper ballots.
Additionally, the nation’s ITAs REQUIRE that they witness the build of the software so they can assure an added layer of precaution is built into software security.
All of the DRE failures to date have taken place with ITA-witnessed-built firmware. So ITA witnessing of building of firmware does not eliminate flaws, and does not obviate the need for an independent auditable recountable physical ballot.
The genius of the American democratic process is its diversity. Since we use so many different types of voting equipment, provided by so many different vendors, and because elections are controlled by so many local elections offices, it makes manipulating an election in
In fact, more than 90% of DRE’s come from less than a half-dozen vendors.
The ability to manipulate an election with DREs, combined with election practices and procedures, means it is highly unlikely to be able to do this and get away with it. You can still manipulate an election easiest with hand-counted paper ballots.
To argue that national-scale election manipulation is hard, does not dismiss the need for credible paper ballots. It also ignores the fact that paperless DREs make widespread uncontestable misrecording of votes now more possible than ever before.
The reality of a discussion on the technological possibilities of manipulation is that no one is ever satisfied with the technological arguments or counterpoints. For every technological challenge there is a technological solution or counter challenge, none of which ever satisfy the other parties. It has to be proven that such challenges can be carried out successfully without possibility of detection when you combine the technological aspects with established testing procedures, election management procedures and public scrutiny of elections.
The difference in this case is, there is not a tradeoff of degrees or weights or relative costs. In the special case of paperless electronic voting, the cost of recovery is infinite, since there is absolutely nothing to reconstruct from. In every other aspect of the election, it is at least possible, at some cost and given adequate time, attention, and determination, to reveal or repair or prevent the damage. But a flipped bit inside a DRE makes no noise, leaves no footprints, cannot be distinguished from its unviolated neighbor.
We appreciate and respect those who question the process and we understand their fears. And we do not take their concerns lightly. While conducting elections is likely to be an imperfect process, it is a process built upon more than 200 years of experience in how to provide appropriate safeguards. Like most situations in the electoral process, it rarely boils down to a technological issue. It almost always comes down to policies, procedures and people doing what they are supposed to do.
The style and content of argument put forth in this document betrays a profound contempt and disrespect for the preponderance of evidence and the overwhelming majority of expert opinion that paperless electronic voting is an unjustifiable risk and threat to democracy. It’s as if they were saying, “So what if the wrong guy gets elected once in a while, how bad can that be?” The bad is, American participation in the election process is discouraged by a concealed, opaque process using proprietary, corporate, closed machinery that the voter is exhorted to accept on blind faith. With a paper ballot and a legitimate process administered by honest officials, the voter has the opportunity, should he so choose, to follow his ballot from the tip of his pencil to the final official certification of election. Paperless electronic voting breaks this path rudely, insultingly, and will leave many voters feeling more alienated and disenfranchised than ever.
Is the convenience, or speed, or economy, of paperless DRE worth this degradation? Any sensible voter given a full explanation and free choice, will say not, and demand the fundamental right to personally cast an anonymous durable paper ballot.